Systems and methods for aggregating asset vulnerabilities

ABSTRACT

In a system for determining vulnerabilities associated with a web property, a network accessible server associated with the property is identified. One or more software components/subsystems associated with that server and, optionally, one or more versions of that component/subsystem are identified. For the identified components and versions thereof, vulnerability information is obtained from a database and compiled to determine vulnerability of the web property, without requiring access to any code of the software components/subsystems.

FIELD OF THE INVENTION

This disclosure generally relates to vulnerability assessment of computer systems and, more particularly, to systems and methods for identifying and aggregating vulnerabilities associated with a network accessible server such as a web server.

BACKGROUND OF THE INVENTION

A web property often includes a network accessible server such as a web server for providing a web service, a secure shell server (SSH), etc. In general, a network accessible server is a system that receives requests from client computers such as laptops, tablets, smart phones, etc., of Internet users and also from other servers in a network, and responds to such requests by providing content and/or one or more functionalities to the clients. For example, a web server may: stream audio/video files, perform a web search, run a database query in response to a client request to provide the requested information, monitor and control a physical system, translate the rendered content from one language into another, etc. A web server may be distributed across several physical computers/servers and a single physical server can be configured as two or more web servers. An SSH server may permit a client computer to access protected computing resources.

In order to provide a service, a network accessible server typically runs one or more software applications. In some instances, one software application may invoke another software application, e.g., to delegate to the other software application a part of the operations corresponding to the requested service. Some of these different software applications associated with a network accessible server may include vulnerabilities such as allowing unauthorized access to client data, commonly called a data breach, permitting the network accessible server to be hijacked by a malicious user in furtherance of attacks against other web properties, etc. In some instances, a software application used by a network accessible server may include malware, viruses, etc., and the execution of such a software application in the course of rendering a requested service to a client, therefore, can cause harm to the client.

A web property such as a network accessible server can be owned directly or indirectly by an entity. Usually, the owner entity is liable for any problems associated with a web property, such as those that can be caused by one or more software applications used by a network accessible server. Direct ownership generally occurs when the entity develops or contracts a third party to develop a web property. For example, the owner entity may develop or contractually acquire various software applications to be used in rendering one or more web services. As such, under direct ownership, the owner entity can typically enforce procedures to minimize any problems occurring with a web property/server for which the owner entity may be liable. Problems of which the owner entity is not aware may nevertheless exist in association with some directly owned web properties, in part because a typical web service often uses a number of software applications/components that are interrelated in a complex manner, and several of these components may be obtained from different third parties. As such, in some instances, the owner is unaware of all of the software applications/components that are used by a particular web property/server, and some of these software applications/components may have vulnerabilities.

Indirect ownership can occur when an entity may not actively develop and/or manage a web property/server and may not actively control such development/management, but may acquire rights to the web property/server through business/legal transactions such as mergers, acquisitions, etc. As such, an indirect owner often does not know the contents, attributes, implementation details, security details, or other characteristics of the software applications/components of the indirectly owned web property/server, so as to implement procedures that can minimize the occurrence of problems with that web property/server. In some instances, an indirect owner may not even know of the existence of some of the owned web properties/servers. Nevertheless, an indirect owner entity may be responsible or liable for any problems associated with any indirectly owned web property/server, including the consequences of any failures of the web property/server, the consequences of attacks against the web property/server, and any harmful operations performed by the web property/server.

Certain vulnerabilities in both directly owned and acquired software applications/components can be identified by analyzing source and/or machine-readable code of the software. Such testing, however, can be time consuming and onerous, and may need to be repeated when any of the software applications/components is changed substantially. Moreover, a web property owner may not be willing to or may even be unable to grant access to the software code to a third party tester.

SUMMARY OF THE INVENTION

Various embodiments described herein feature identifying any vulnerabilities associated with a network accessible server without analyzing source and/or machine-readable code of any of the software applications/components used by the network accessible server. This is achieved, at least in part, by recording one or more responses to one or more requests to a network accessible server, and by analyzing the received responses to identify the software components (which may include software applications, subsystems, components, etc.) used by the network accessible server. Particular versions of various software components may also be identified. Information on vulnerabilities associated with each software component and particular versions thereof, if identified, is then obtained from a database. That vulnerability information is aggregated to determine the vulnerability of a network accessible server.

Accordingly, in one aspect, a method is provided for determining whether a set of assets (e.g., web properties) of an entity has one or more weaknesses. The method includes performing by a processor the steps of: (a) receiving from a first asset in the set of assets a first set of responses to one or more queries. The first set of responses may include a first set of attributes of one or more software components associated with the first asset. The one or more queries may be sent to the first asset via a network. The method also includes (b) analyzing the first set of attributes to identify the one or more software components associated with the set of assets, and (c) obtaining, from a repository, information on at least one of the one or more identified software components. The method further includes (d) determining using the information whether the first asset and, hence, the set of assets, has a weakness.

The first asset may include a web application server (also called a web server) and/or a secure shell (SSH) server. In some embodiments, the repository includes a software component properties database and/or a software component index. Obtaining information from a repository may include transmitting one or more attributes of one or more identified software components to the repository, e.g., through a network. A response in the set of responses may include a hypertext transfer protocol (HTTP) response and/or a banner. The response may include a header and a body. In some embodiments each one of the set of responses is related to a respective user agent. An attribute from the first set of attributes of software components may include one or more of: a software component name attribute, a software component version attribute, and a unique identifier (ID) corresponding to a software component.

In some embodiments, the set of responses includes a first response that includes a software component name attribute and a version attribute, and a second response that also includes a software component name attribute and a version attribute. Analyzing the first set of attributes may include designating as a first software component a software component corresponding to the name attribute in the first response. The name attribute in the second response may be compared with the name attribute in the first response. In some embodiments, if the name attribute in the second response does not match the name attribute in the first response, the method further includes designating as a second software component a software component corresponding to the name attribute in the second response. If the name attribute in the second response matches the name attribute in the first response, the method may include associating the version attributes in the first and second responses with the first software component. The method may include identifying an older one of the versions indicated by the version attributes in the first and second responses.

In some embodiments, obtaining information on any one of the several software components includes receiving a first report on the first software component using the version attribute in the first response and, optionally, receiving a second report on the first software component using the version attribute in the second response. Determining whether the set of assets has one or more weaknesses may include evaluating if one or more of the first and the optional second reports indicates a vulnerability associated with the first software component. In some embodiments, the method includes identifying an additional software component from the information received from the repository, where the additional software component is implied by at least one of the several software components identified in step (b). The method may also include obtaining, from the repository, additional information on the identified additional software component, and determining using the additional information whether the set of assets has a weakness, e.g., as described above.

In some embodiments, the set of assets includes a second asset, and the method includes, prior to performing step (b), (e) receiving from the second asset a second set of responses to one or more queries. The second set of responses may include a second set of attributes of one or more software components associated with the second asset. The method may also include: (f) adding to the first set of attributes the second set of attributes. In this way, when the vulnerabilities are determined by analyzing the attributes in the first set of attributes, vulnerabilities corresponding to software components used by both the first and second assets may be identified. In some embodiments, the method includes receiving, in memory, a list of resources and scanning, using a resource scanner, each resource in the list, to obtain the set of assets associated with an entity. Prior to performing step (b), steps (e) and (f) may be repeated for each asset in the set of assets, to determine if the set of various assets associated with the entity has a weakness. A resource in the list of resources may include a domain name, an Internet protocol (IP) address, or a CIDR block. Resource scanning may include one or more of port scanning, idle scanning, domain name service (DNS) lookup, and subdomain brute-forcing.

In another aspect, a computer system includes a first processor and a first memory coupled to the first processor. The first memory includes instructions which, when executed by a processing unit that includes the first processor and/or a second processor, program the processing unit, that is in electronic communication with a memory module that includes the first memory and/or a second memory, to: (a) receive from a first asset in the set of assets a first set of responses to one or more queries. The first set of responses may include a first set of attributes of one or more software components associated with the first asset. The instructions also program the processing unit to: (b) analyze the first set of attributes to identify the one or more software components associated with the set of assets. Moreover, the instructions program the processing unit to: (c) obtain, from a repository, information on at least one of the one or more identified software components, and (d) determine using the information whether the set of assets has a weakness.

In some embodiments, the instructions program the processing unit to transmit the queries to the first asset, and to determine from the received first set of responses if the first asset includes a web application server or a secure shell (SSH) server. The instructions may also program the processing unit to transmit one or more of the queries according to a user agent, where one or more responses in the set of responses are related to the user agent. In some embodiments, the set of assets includes a second asset, and the instructions program the processing unit to: (e) receive from the second asset a second set of responses to one or more queries. The second set of responses may include a second set of attributes of one or more software components associated with the second asset. The instructions may also program the processing unit to: (f) add to the first set of attributes the second set of attributes, prior to analyzing by the processing unit the first set of attributes to identify the one or more software components associated with the set of assets.

In some embodiments, the instructions program the processing unit to receive in memory a list of resources, and scan, using a resource scanner, each resource in the list, to obtain the set of assets associated with an entity, to determine if the set of assets associated with the entity has a weakness. The instructions may program the processing unit to perform as the resource scanner. In various embodiments, the instructions can program the processing unit to perform one or more of the method steps described above.

In another aspect, an article of manufacture that includes a non-transitory storage medium has stored therein instructions which, when executed by a processor, program the processor, which is in electronic communication with a memory, to: (a) receive from a first asset in the set of assets a first set of responses to one or more queries. The first set of responses may include a first set of attributes of one or more software components associated with the first asset. The instructions also program the processor to: (b) analyze the first set of attributes to identify the one or more software components associated with the set of assets. Moreover, the instructions program the processor to: (c) obtain, from a repository, information on at least one of the one or more identified software components, and (d) determine using the information whether the set of assets has a weakness. In various embodiments, the stored instructions can program the processor to perform one or more of the method steps described above.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the present invention taught herein are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which:

FIG. 1 schematically depicts a vulnerability analysis system, according to one embodiment;

FIG. 2 shows an example of intermediate results obtained using an embodiment of a vulnerability analysis system; and

FIG. 3 schematically depicts a system for identifying domains and/or subdomains likely owned by an entity, according to one embodiment.

DETAILED DESCRIPTION

With reference to FIG. 1, a domain scanner 102 identifies one or more network accessible servers (e.g., web server 104), that are associated with a specified domain/subdomain 106 such as XYZ.com, www.XYZ.com, w3.PQR.org, etc. To this end, the domain scanner 102 may send a request such as a hyper-text transfer protocol (HTTP) request, Web Request, etc., to various Internet Protocol (IP) addresses associated with the domain/subdomain 106. The domain scanner 102 may designate any server responding to such a request a network accessible server. The responses may be recorded and/or forwarded to a component analyzer 108. In one embodiment, the domain scanner 102 selects a particular network accessible server (e.g., the web server 104) and sends additional requests to the web server 104. Each request may correspond to a different user agent such as Firefox™, Internet Explorer™, Chrome™, a mobile device user agent, etc. The corresponding responses from the web server 104 and an identifier of the web server are forwarded to the component analyzer 108. In some embodiments, the domain scanner 102 selects each server designated as a network accessible server, sends additional requests thereto, and forwards the received responses and an identifier for that network accessible server to the component analyzer 108. A response may include a header and a body, and a header can be an HTTP header, a banner, etc. In some embodiments, only the header portion of a response is forwarded to the component analyzer 108. In some embodiments, another module instead of or in addition to the domain scanner 102 sends requests to one or more network accessible servers (e.g., the web server 104).

The description below refers to web servers for the sake of convenience, but it should be understood that the systems and methods described herein are not limited to web servers only and can analyze various types of network accessible servers. The component analyzer 108 analyzes the responses received from a particular web server (e.g., the web server 104) and identifies software components therein. The types or categories of components/software subsystems/technologies identified by the component analyzer 108 include but are not limited to content management systems, e-Commerce platforms, JavaScript frameworks, etc. The component analyzer 108 may also have knowledge about typical relationships between software components. For example, if the component analyzer 108 determines that the web server 104 uses Component A (e.g., WordPress), the component analyzer 108 may determine, using a knowledgebase thereof, that the web server 104 uses Component B (e.g., PHP), as well.

In identifying a software component, the component analyzer 108 typically determines one or more attributes of the component. Common attributes include the component name and the component version. In some embodiments, the component attributes that are determined include a unique identifier associated with the software component. With reference to FIG. 2, the component analyzer 108 analyzed five different responses from the web server 104 in which, from the first response, the component analyzer determined that the web server 104 uses “Component A” version “1.1.” From the next two responses, the component analyzer 108 determined again, by comparing the name attributes, that the web server 104 uses “Component A,” but determined that versions “1.6” and “1.4” thereof are used. Some web servers may in fact use different versions of the same component in different contexts, e.g., with different user agents. In some instances, different versions of the same component (e.g., jQuery) may be loaded with a single user agent. Therefore, different responses can identify different versions of the same component. From the fourth response, the component analyzer 108 determined again that the web server 104 uses “Component A,” but did not identify the particular version used from the fourth response. In some instances, the component analyzer 108 may identify a version of a software component used, but may not be able to determine the name thereof. From the fifth response, the component analyzer 108 determined by comparing the name attributes that the web server 104 uses another component, “Component B” version “1.4.”

It should be understood that the analysis of responses described with reference to FIG. 2 is illustrative only and that in general, a component analyzer may analyze any number of responses. For example, the component analyzer 108 may analyze 1, 2, 6, 10, 25, 100, 140, 200, etc., messages from each of several, e.g., 2, 3, 5, 10, etc., web servers. In general, the number of software components used by a web server that a component analyzer may identify can be any number such as 1, 3, 7, 8, 10, 15, 20, etc. The identified software components may include software components implied by other identified software components. In various embodiments, the version numbers can include names and numbers, and a version number, in general, can be any character or string of any length of any letters, numbers, and/or characters. While FIG. 2 depicts that the component analyzer 108 stores the information about software components as a JSON object, different embodiments of a component analyzer may use other structures such as linked lists, arrays, trees, heaps, hash tables, etc., to store and to analyze further the extracted information.

Referring back to FIG. 1, after identifying at least some of the software components used by a web server, an aggregator 110 processes the list of identified components. For example, the aggregator 110 may remove duplicates. In some embodiments, a component is considered to be a duplicate of another component if the two components have the same name and other attributes, e.g., the same version number. From a de-duplicated list, the aggregator 110 may optionally sort the identified versions of each component, and may optionally identify the latest and/or the oldest version. To this end, the component analyzer may employ alpha-numeric sorting. In some embodiments, the aggregator 110 queries a database that provides the release date associated with a specified version of a specified component. This analysis can be useful because in some instances a vulnerability in an older version of a software component is cured in a later version. On the other hand, in some instances, a newer version has a vulnerability that did not exist in an older version, or the older version was tested for vulnerabilities but the newer version was not and, hence, vulnerability information is available only for an older version. The aggregator 110 may also identify the most frequently and/or least frequently used versions of an identified software component.
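The per-user-agent response collection, the name/version extraction of FIG. 2 and the de-duplication and alpha-numeric version sorting of the aggregator can be exercised together on recorded responses. The following is an added example written for this page; it is not code from the patent or from any product it describes. The five responses are constructed (one per user agent plus one SSH banner), the header and script-name patterns are the author's own assumptions about where name and version attributes appear, and the component names used in the samples are merely illustrative.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample responses, one per user agent (not captured from any real host).
# Each entry is (user_agent, raw response). The HTTP entries carry a header block and a
# short body snippet; the last entry is an SSH banner, which has no body.
SAMPLE_RESPONSES = [
    ("Firefox", "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"
                '<script src="/js/jquery-1.1.min.js"></script>'),
    ("Chrome", "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n\r\n"
               '<script src="/js/jquery-1.6.min.js"></script>'),
    ("Mobile", "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
               '<script src="/js/jquery-1.4.js"></script><script src="/js/jquery.min.js"></script>'),
    ("IE", "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"),
    ("ssh", "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"),
]

# "name/version" product tokens as found in Server and X-Powered-By headers (assumed format).
PRODUCT_TOKEN = re.compile(r"([A-Za-z][\w.-]*)(?:/([\w.+-]+))?")
# jQuery script references; the version group is empty for an unversioned file name.
JQUERY_SRC = re.compile(r"jquery(?:-(\d+(?:\.\d+)*))?(?:\.min)?\.js", re.IGNORECASE)
# SSH identification string, e.g. SSH-2.0-OpenSSH_7.9p1 -> ("OpenSSH", "7.9p1").
SSH_BANNER = re.compile(r"^SSH-[\d.]+-([A-Za-z]+)[_-]?([\w.]+)?")


def extract_components(user_agent, raw):
    """Return {'name', 'version', 'user_agent'} records found in one recorded response."""
    records = []
    if raw.startswith("SSH-"):
        m = SSH_BANNER.match(raw)
        if m:
            records.append({"name": m.group(1), "version": m.group(2), "user_agent": user_agent})
        return records
    header_block, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    for hdr in ("server", "x-powered-by"):
        value = headers.get(hdr)
        if not value:
            continue
        value = re.sub(r"\([^)]*\)", "", value)  # drop comments such as "(Ubuntu)"
        for name, version in PRODUCT_TOKEN.findall(value):
            records.append({"name": name, "version": version or None, "user_agent": user_agent})
    for version in JQUERY_SRC.findall(body):
        records.append({"name": "jQuery", "version": version or None, "user_agent": user_agent})
    return records


def version_key(version):
    """Alpha-numeric sort key: digit runs compare as integers, the rest as text."""
    return [int(tok) if tok.isdigit() else tok.lower() for tok in re.split(r"(\d+)", version)]


def aggregate(records):
    """De-duplicate on (name, version), group versions per name, find oldest/latest."""
    seen, deduped = set(), []
    for r in records:
        key = (r["name"].lower(), r["version"])
        if key not in seen:
            seen.add(key)
            deduped.append(r)
    by_name = defaultdict(list)
    for r in deduped:
        by_name[r["name"]].append(r["version"])
    summary = {}
    for name, versions in by_name.items():
        known = sorted((v for v in versions if v), key=version_key)
        summary[name] = {
            "versions": known,
            "oldest": known[0] if known else None,
            "latest": known[-1] if known else None,
            "version_unknown": any(v is None for v in versions),
        }
    return summary


def most_frequent_version(records, name):
    """Most frequently observed version of a component, counted before de-duplication."""
    counts = Counter(r["version"] for r in records
                     if r["name"].lower() == name.lower() and r["version"])
    return counts.most_common(1)[0][0] if counts else None


def analyse(responses=SAMPLE_RESPONSES):
    """Run extraction over every recorded response and aggregate the result."""
    records = [rec for ua, raw in responses for rec in extract_components(ua, raw)]
    return records, aggregate(records)


if __name__ == "__main__":
    recs, summary = analyse()
    print(json.dumps(summary, indent=2))  # the JSON form FIG. 2 describes
```

The frequency count deliberately runs over the raw records rather than the de-duplicated list, since de-duplication erases exactly the repetition that "most frequently used version" depends on. The sort key splits on digit runs so that "1.10" orders after "1.9", which a plain string sort gets wrong.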

For a selected version (e.g., the latest, oldest, most frequently occurring, etc.) of an identified software component, the aggregator 110 queries one or more databases 112 to obtain vulnerability information about that version of the software component. A database 112 may include a software component properties database and/or a software component index, and may be provided by a third party (e.g., Mitre.org, GitHub, etc.) or may be a proprietary database. The aggregator 110 may access the database 112 directly (e.g., through a proprietary network) and/or through a public network (e.g., the Internet). In some embodiments, the aggregator 110 obtains vulnerability information from the databases 112 for one or more selected versions (e.g., all versions) of one or more selected software components (e.g., all software components) determined to be associated with a selected web server determined to be belonging to a specified owner entity. This process may be repeated for one or more (e.g., all) other web servers determined to be belonging to that owner entity, and for other owner entities, as well. In addition to the vulnerability information, the databases 112 may provide the release dates of the specified versions of the specified software components.

For a selected web server (e.g., the web server 104), the aggregator 110 compiles the vulnerability information to determine vulnerability of the selected web server. In general, the vulnerability of a web server may depend on parameters such as the number of software components used by the web server where at least one version of the software component is reported as vulnerable by the database 112, and the number of identified software components where each version or a significant number of versions are reported as vulnerable. In this context, significant can be 90% of all versions, 80% of all versions, 50% of all versions, etc. In some embodiments, the parameters may include respective degrees of vulnerabilities associated with various versions of various software components.

The parameters may also include a known or an expected frequency of use of a particular version and/or a known or expected frequency at which the web server provides a service for which a particular component is used. A particular web server may provide two or more web services, where a different set of software components is used in rendering each service. As such, if a web server uses a version of a component reported to be vulnerable to facilitate a service that is provided infrequently, the web server may be designated as vulnerable, but to a lesser degree than if a version of a component reported to be vulnerable is used to facilitate a service that is provided relatively frequently.
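The compilation step above reduces to a handful of counts and a weighted sum once the per-version reports are in hand. The following is an added example written for this page, not code from the patent or from any product it describes. The vulnerability repository standing in for database 112 is constructed, its advisory identifiers and severity scores are placeholders rather than real advisories, the observed version lists are assumed output of the aggregation step, and the per-component service frequencies are invented to show the weighting.

```python
import json

# Constructed stand-in for database 112: (component, version) -> [(advisory id, severity)].
# Identifiers and scores are placeholders, not real advisories.
VULN_DB = {
    ("jquery", "1.1"): [("ADV-PLACEHOLDER-1", 6.1)],
    ("jquery", "1.4"): [("ADV-PLACEHOLDER-2", 4.3)],
    ("php", "7.4.3"): [("ADV-PLACEHOLDER-3", 7.5)],
}

# Constructed output of the aggregation step for one web server: component -> observed versions.
OBSERVED = {
    "jQuery": ["1.1", "1.4", "1.6"],
    "PHP": ["7.4.3"],
    "nginx": ["1.18.0"],
}

# Constructed expected frequency (0..1) with which the server renders a service that uses
# each component; here jQuery backs a rarely used service and PHP a frequently used one.
SERVICE_FREQUENCY = {"jQuery": 0.2, "PHP": 0.9, "nginx": 1.0}


def lookup(component, version):
    """Return the vulnerability reports the repository holds for one (component, version)."""
    return VULN_DB.get((component.lower(), version), [])


def assess(observed=OBSERVED, service_frequency=SERVICE_FREQUENCY, significant=0.8):
    """Compile per-version reports into the parameters the text describes.

    significant: fraction of a component's versions that must be reported vulnerable for
    the component to count as "mostly vulnerable" (0.8 corresponds to the 80% case).
    """
    components_with_vulnerable_version = 0
    components_mostly_vulnerable = 0
    weighted_exposure = 0.0
    details = {}
    for component, versions in observed.items():
        reports = {v: lookup(component, v) for v in versions}
        vulnerable = [v for v, r in reports.items() if r]
        fraction = len(vulnerable) / len(versions) if versions else 0.0
        # Degree of vulnerability: the worst severity reported across all observed versions.
        max_severity = max((score for r in reports.values() for _, score in r), default=0.0)
        freq = service_frequency.get(component, 1.0)
        if vulnerable:
            components_with_vulnerable_version += 1
            if fraction >= significant:
                components_mostly_vulnerable += 1
            # A vulnerable component behind a rarely used service contributes less.
            weighted_exposure += max_severity * freq
        details[component] = {
            "vulnerable_versions": vulnerable,
            "fraction_vulnerable": round(fraction, 2),
            "max_severity": max_severity,
            "service_frequency": freq,
        }
    return {
        "components_with_vulnerable_version": components_with_vulnerable_version,
        "components_mostly_vulnerable": components_mostly_vulnerable,
        "weighted_exposure": round(weighted_exposure, 2),
        "details": details,
    }


if __name__ == "__main__":
    print(json.dumps(assess(), indent=2))
```

With the sample data, jQuery has two of three observed versions reported vulnerable, so it counts under the 50% threshold but not under the 80% one, while PHP counts under both; lowering `significant` therefore changes the second parameter without touching the first. The unknown-version case from the extraction step is not looked up at all here, which is the conservative reading of "no version attribute": a practitioner would normally flag such a component for follow-up rather than treat it as clean.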

The aggregator 110 can thus provide a measure of vulnerability of one or more web servers belonging to an owner entity. The vulnerability analysis may be performed periodically and/or when a significant change is made to a web server. The aggregator 110 performs the vulnerability analysis using responses to requests sent to a web server and, as such, the aggregator 110 can perform the vulnerability analysis remotely, without requiring access to any source code or machine-readable code of the web server.

In some situations, an owner entity may not be aware of all of the web properties owned by the entity and for which the entity may be liable. In these situations, with reference to FIG. 3, a resource scanner 302 can receive information such as domain names and/or subdomain names 304a that are known to be owned by the entity, Internet protocol (IP) addresses 304b that are associated with the entity, and/or classless inter-domain routing (CIDR) blocks 304c. Using this information, the resource scanner 302 can generate a list 306 of domains and subdomain names owned by the entity. To this end, the scanner may employ one or more of port scanning, which can include transmission control protocol (TCP) scanning, protocol scanning, etc., idle scanning, domain name service (DNS) lookup, which may include one or more of standard DNS queries, zone transfer queries, and reverse DNS lookups, search using APIs provided by search engines, and subdomain brute-forcing on domain names, to identify the domains/subdomains that may be owned by the entity. One or more network accessible servers may be associated with each identified domain/subdomain. The domain scanner 102 (described with reference to FIG. 1) can identify these servers, for which the owner entity may be liable. The procedures described above with reference to FIGS. 1 and/or 2 may be applied to each identified network accessible server associated with each identified domain/subdomain to determine weaknesses associated with various web properties.

It is clear that there are many ways to configure the device and/or system components, interfaces, communication links, and methods described herein. The disclosed methods, devices, and systems can be deployed on convenient processor platforms, including network servers, personal and portable computers, and/or other processing platforms. Other platforms can be contemplated as processing capabilities improve, including personal digital assistants, computerized watches, cellular phones and/or other portable devices. The disclosed methods and systems can be integrated with known network management systems and methods. The disclosed methods and systems can operate as an SNMP agent, and can be configured with the IP address of a remote machine running a conformant management platform. Therefore, the scope of the disclosed methods and systems is not limited by the examples given herein, but can include the full scope of the claims and their legal equivalents.

The methods, devices, and systems described herein are not limited to a particular hardware or software configuration, and may find applicability in many computing or processing environments. The methods, devices, and systems can be implemented in hardware or software, or a combination of hardware and software. The methods, devices, and systems can be implemented in one or more computer programs, where a computer program can be understood to include one or more processor executable instructions. The computer program(s) can execute on one or more programmable processing elements or machines, and can be stored on one or more storage media readable by the processor (including volatile and non-volatile memory and/or storage elements), one or more input devices, and/or one or more output devices. The processing elements/machines thus can access one or more input devices to obtain input data, and can access one or more output devices to communicate output data. The input and/or output devices can include one or more of the following: Random Access Memory (RAM), Redundant Array of Independent Disks (RAID), floppy drive, CD, DVD, magnetic disk, internal hard drive, external hard drive, memory stick, or other storage device capable of being accessed by a processing element as provided herein, where such aforementioned examples are not exhaustive, and are for illustration and not limitation.

The computer program(s) can be implemented using one or more high level procedural or object-oriented programming languages to communicate with a computer system; however, the program(s) can be implemented in assembly or machine language, if desired. The language can be compiled or interpreted.

As provided herein, the processor(s) and/or processing elements can thus be embedded in one or more devices that can be operated independently or together in a networked environment, where the network can include, for example, a Local Area Network (LAN), wide area network (WAN), and/or can include an intranet and/or the Internet and/or another network. The network(s) can be wired or wireless or a combination thereof and can use one or more communications protocols to facilitate communications between the different processors/processing elements. The processors can be configured for distributed processing and can utilize, in some embodiments, a client-server model as needed. Accordingly, the methods, devices, and systems can utilize multiple processors and/or processor devices, and the processor/processing element instructions can be divided amongst such single or multiple processor/devices/processing elements.

The device(s) or computer systems that integrate with the processor(s)/processing element(s) can include, for example, a personal computer(s), workstation (e.g., Dell, HP), personal digital assistant (PDA), handheld device such as cellular telephone, laptop, handheld, or another device capable of being integrated with a processor(s) that can operate as provided herein. Accordingly, the devices provided herein are not exhaustive and are provided for illustration and not limitation.

References to “a processor”, or “a processing element,” “the processor,” and “the processing element” can be understood to include one or more microprocessors that can communicate in a stand-alone and/or a distributed environment(s), and can thus be configured to communicate via wired or wireless communications with other processors, where such one or more processors can be configured to operate on one or more processor/processing element-controlled devices that can be similar or different devices. Use of such “microprocessor,” “processor,” or “processing element” terminology can thus also be understood to include a central processing unit, an arithmetic logic unit, an application-specific integrated circuit (IC), and/or a task engine, with such examples provided for illustration and not limitation.

Furthermore, references to memory, unless otherwise specified, can include one or more processor-readable and accessible memory elements and/or components that can be internal to the processor-controlled device, external to the processor-controlled device, and/or can be accessed via a wired or wireless network using a variety of communications protocols, and unless otherwise specified, can be arranged to include a combination of external and internal memory devices, where such memory can be contiguous and/or partitioned based on the application. For example, the memory can be a flash drive, a computer disc, CD/DVD, distributed memory, etc. References to structures include links, queues, graphs, trees, and such structures are provided for illustration and not limitation. References herein to instructions or executable instructions, in accordance with the above, can be understood to include programmable hardware.

Although the methods and systems have been described relative to specific embodiments thereof, they are not so limited. As such, many modifications and variations may become apparent in light of the above teachings. Many additional changes in the details, materials, and arrangement of parts, herein described and illustrated, can be made by those skilled in the art. Accordingly, it will be understood that the methods, devices, and systems provided herein are not to be limited to the embodiments disclosed herein, can include practices otherwise than specifically described, and are to be interpreted as broadly as allowed under the law.

Accordingly, we claim:
 1. A method of determining whether a set of assets of an entity has a weakness, the method comprising performing by a processor the steps of: identifying a set of assets comprising at least one network accessible server by scanning at least one domain or a subdomain identified by a name, using a domain scanner; (a) receiving from a first asset in the set of assets a first set of responses to one or more queries, the first set of responses comprising a first set of attributes describing identity of one or more potentially vulnerable software components associated with the first asset; (b) analyzing the first set of attributes to identify the one or more potentially vulnerable software components associated with the set of assets; (c) obtaining, from a repository, vulnerability information on at least one of the one or more identified software components; and (d) determining using the vulnerability information and without testing the one or more identified software components subsequent to the identification thereof whether the set of assets has a weakness.
 2. The method of claim 1, wherein the first asset comprises at least one of a web application server and a secure shell (SSH) server.
 3. The method of claim 1, wherein a response in the set of responses comprises at least one of a hypertext transfer protocol (HTTP) response and a banner.
 4. The method of claim 1, wherein each response in the set of responses is related to a respective user agent.
 5. The method of claim 1, wherein an attribute from the first set of attributes of software components comprises at least one of: a software component name attribute, a software component version attribute, and a unique identifier (ID) corresponding to a software component.
 6. The method of claim 1, wherein the repository comprises at least one of a software component properties database and a software component index.
 7. The method of claim 1, wherein obtaining information from a repository comprises transmitting at least one attribute of at least one identified software component to the repository.
 8. The method of claim 1, wherein: the set of responses comprises a first response comprising a software component name attribute and a version attribute, and a second response also comprising a software component name attribute and a version attribute; and analyzing the first set of attributes comprises: designating as a first software component a software component corresponding to the name attribute in the first response; and comparing the name attribute in the second response with the name attribute in the first response.
 9. The method of claim 8, wherein the name attribute in the second response does not match the name attribute in the first response, the method further comprising designating as a second software component a software component corresponding to the name attribute in the second response.
 10. The method of claim 8, wherein the name attribute in the second response matches the name attribute in the first response, the method further comprising associating the version attributes in the first and second responses with the first software component.
 11. The method of claim 10, further comprising identifying an older version of the first software component from at least one of the version attributes in the first and second responses.
 12. The method of claim 10, wherein obtaining information on at least one of the one or more software components comprises: receiving a first report on the first software component using the version attribute in the first response; and receiving a second report on the first software component using the version attribute in the second response.
 13. The method of claim 12, wherein determining whether the set of assets has a weakness comprises evaluating if at least one of the first and second reports indicates a vulnerability associated with the first software component.
 14. The method of claim 1, further comprising: identifying an additional software component from the information received from the repository, the additional software component being implied by at least one of the one or more software components identified in step (b); obtaining, from the repository, additional information on the identified additional software component; and determining using the additional information whether the set of assets has a weakness.
 15. The method of claim 1, wherein the set of assets comprises a second asset, the method further comprising, prior to step (b): (e) receiving from the second asset a second set of responses to one or more queries, the second set of responses comprising a second set of attributes of one or more software components associated with the second asset; and (f) adding to the first set of attributes the second set of attributes.
 16. The method of claim 15, further comprising: receiving, in memory, a list of resources; and scanning each resource in the list using a resource scanner configured to provide domain and subdomain names, to obtain a list of names, each name being a domain name or a subdomain name associated with an entity, wherein: identifying the set of assets comprises scanning using the domain scanner a domain or subdomain associated with each name in the list of names; and determining whether the set of assets has a weakness comprises, prior to step (b), repeating steps (e) and (f) for each asset in the set of assets.
 17. The method of claim 16, wherein a resource in the list of resources comprises one of a domain name, an Internet protocol (IP) address, and a CIDR block.
 18. The method of claim 16, wherein resource scanning comprises at least one of: port scanning, idle scanning, domain name service (DNS) lookup, and subdomain brute-forcing.
 19. A system for determining whether a set of assets of an entity has a weakness, comprising: a first processor; and a first memory in electrical communication with the first processor, the first memory comprising instructions which, when executed by a processing unit comprising at least one of the first processor and a second processor, program the processing unit to: identify a set of assets comprising at least one network accessible server by scanning at least one domain or a subdomain identified by a name, using a domain scanner; (a) receive from a first asset in the set of assets a first set of responses to one or more queries, the first set of responses comprising a first set of attributes describing identity of one or more potentially vulnerable software components associated with the first asset; (b) analyze the first set of attributes to identify the one or more potentially vulnerable software components associated with the set of assets; (c) obtain, from a repository, vulnerability information on at least one of the one or more identified software components; and (d) determine using the vulnerability information and without testing the one or more identified software components subsequent to the identification thereof whether the set of assets has a weakness.
 20. The system of claim 19, wherein the instructions program the processing unit to: transmit the queries to the first asset; and determine from the received first set of responses if the first asset includes a web application server or a secure shell (SSH) server.
 21. The system of claim 20, wherein: the instructions program the processing unit to transmit at least one of the queries according to a user agent; and at least one response in the set of responses is related to the user agent.
 22. The system of claim 19, wherein an attribute from the first set of attributes of software components comprises at least one of: a software component name attribute, a software component version attribute, and a unique identifier (ID) corresponding to a software component.
 23. The system of claim 19, wherein to obtain information from a repository, the instructions program the processing unit to transmit at least one attribute of at least one identified software component to the repository.
 24. The system of claim 19, wherein: the set of responses comprises a first response comprising a software component name attribute and a version attribute, and a second response also comprising a software component name attribute and a version attribute; and to analyze the first set of attributes, the instructions program the processing unit to: designate as a first software component a software component corresponding to the name attribute in the first response; and compare the name attribute in the second response with the name attribute in the first response.
 25. The system of claim 24, wherein: the name attribute in the second response does not match the name attribute in the first response; and the instructions program the processing unit to designate as a second software component a software component corresponding to the name attribute in the second response.
 26. The system of claim 24, wherein: the name attribute in the second response matches the name attribute in the first response; and the instructions program the processing unit to associate the version attributes in the first and second responses with the first software component.
 27. The system of claim 26, wherein the instructions program the processing unit to identify an older one of the version attributes in the first and second responses.
 28. The system of claim 26, wherein to obtain information on at least one of the one or more software components, the instructions program the processing unit to: receive a first report on the first software component using the version attribute in the first response; and receive a second report on the first software component using the version attribute in the second response.
 29. The system of claim 28, wherein to determine whether the set of assets has a weakness, the instructions program the processing unit to evaluate if at least one of the first and second reports indicates a vulnerability associated with the first software component.
 30. The system of claim 19, wherein the instructions program the processing unit to: identify an additional software component from the information received from the repository, the additional software component being implied by at least one of the one or more software components identified in step (b); obtain, from the repository, additional information on the identified additional software component; and determine using the additional information whether the set of assets has a weakness.
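The aggregation procedure of method claims 1, 8 to 15 (mirrored by system claims 19, 24 to 30), worked through in code as an added example that is not the patent's own implementation: steps (a), (e) and (f) are represented by an already-collected list of responses (one HTTP response per user agent, one SSH banner) from two assets, step (b) extracts name and version attributes and merges responses that share a name into one component with several versions, steps (c) and (d) look each (name, version) pair up in a repository and follow any implied component, and the older observed version is reported as in claim 11. No asset is contacted; the responses, the repository, the component names and the advisory identifiers are all constructed placeholders, and the attribute regexes are an assumption about the Server header and SSH banner formats.

```python
"""Aggregate vulnerabilities of software components identified from service responses.

Added example, not code from the patent. Every response, component name, version and
advisory ID below is a constructed placeholder; the repository stands in for the
"software component properties database" of claim 6.
"""
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed responses as (asset name, raw response text). The same web asset answered
# two queries (two user agents, claim 4) with different name/version strings; the second
# asset is an SSH server whose banner is the response (claims 2 and 3).
SAMPLE_RESPONSES = [
    ("www.example.test", "HTTP/1.1 200 OK\r\nServer: ExampleHTTPD/2.4.1\r\n\r\n"),
    ("www.example.test", "HTTP/1.1 200 OK\r\nServer: ExampleHTTPD/2.2.9 (Unix)\r\n\r\n"),
    ("shell.example.test", "SSH-2.0-ExampleSSH_7.4"),
]

# Constructed repository keyed by (lower-cased name, version). "implies" lists components
# whose presence follows from this one (claim 14), e.g. a library the server bundles.
SAMPLE_REPOSITORY = {
    ("examplehttpd", "2.2.9"): {"vulns": ["PLACEHOLDER-ADV-0001"],
                                "implies": [("examplessl", "1.0.1")]},
    ("examplehttpd", "2.4.1"): {"vulns": [], "implies": []},
    ("examplessh", "7.4"): {"vulns": [], "implies": []},
    ("examplessl", "1.0.1"): {"vulns": ["PLACEHOLDER-ADV-0002"], "implies": []},
}

# Assumed attribute formats: "Server: Name/1.2.3 ..." and "SSH-2.0-Name_1.2".
SERVER_HEADER = re.compile(r"^Server:\s*([A-Za-z][\w.-]*?)[/ ]v?(\d+(?:\.\d+)*)", re.I | re.M)
SSH_BANNER = re.compile(r"^SSH-\d\.\d-([A-Za-z][\w-]*?)[_/](\d+(?:\.\d+)*)")


@dataclass
class Component:
    """One identified software component with every version and asset it was seen on."""
    name: str
    versions: set = field(default_factory=set)
    assets: set = field(default_factory=set)


def extract_attributes(response):
    """Return the (name, version) attribute pair carried by one response, or None."""
    match = SERVER_HEADER.search(response) or SSH_BANNER.match(response)
    if match is None:
        return None
    return match.group(1).lower(), match.group(2)


def analyze(responses):
    """Step (b) with claims 8 to 10 and 15: merge attributes from all assets' responses.

    A response whose name matches an already designated component adds its version to
    that component; an unmatched name designates a new component.
    """
    components = {}
    for asset, text in responses:
        attrs = extract_attributes(text)
        if attrs is None:
            continue  # response carried no usable identity attribute
        name, version = attrs
        component = components.setdefault(name, Component(name))
        component.versions.add(version)
        component.assets.add(asset)
    return components


def version_key(version):
    """Numeric tuple so that "2.2.9" sorts before "2.4.1"."""
    return tuple(int(part) for part in version.split("."))


def oldest_version(component):
    """Claim 11: the oldest observed version is the one to assess conservatively."""
    return min(component.versions, key=version_key)


def assess(components, repository):
    """Steps (c) and (d) with claim 14: look up every (name, version), follow implied
    components, and return (name, version, advisory) findings without re-probing assets."""
    findings = []
    queue = deque((c.name, v) for c in components.values()
                  for v in sorted(c.versions, key=version_key))
    seen = set()
    while queue:
        key = queue.popleft()
        if key in seen:
            continue
        seen.add(key)
        record = repository.get(key)
        if record is None:
            continue  # component unknown to the repository: no report available
        findings.extend((key[0], key[1], adv) for adv in record["vulns"])
        queue.extend(record["implies"])
    return findings


def has_weakness(responses, repository):
    """Whole procedure: True when any report indicates a vulnerability (claim 13)."""
    return bool(assess(analyze(responses), repository))


if __name__ == "__main__":
    for name, version, advisory in assess(analyze(SAMPLE_RESPONSES), SAMPLE_REPOSITORY):
        print(f"{name} {version}: {advisory}")
```

The detail a practitioner should keep from this is that the two responses from the same asset yield one component with two versions, and the assessment runs against both, so a downgraded or differently reported version is not lost; the implied-component hop is what surfaces the bundled library that no response named directly.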